Wholesale and Retail Trade

 

 

https://sm.asisonline.org/Pages/Crime-of-Opportunity.aspxCrime of OpportunityGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652016-12-01T05:00:00Zhttps://adminsm.asisonline.org/pages/lilly-chapa.aspx, Lilly Chapa<p>​Over the past decade, retail and grocery stores have been turning to self-service checkout lanes to create a better shopping experience: making purchases will be easier and quicker, while store staff can be mobilized away from checkouts and into more customer-focused roles. However, self-checkouts and mobile shop-and-pay programs generate significantly higher rates of loss, a new report finds. </p><p>Developments in Retail Mobile Scanning Technologies: Understanding the Potential Impact on Shrinkage & Loss Prevention, a report by professors Adrian Beck and Dr. Matt Hopkins of the University of Leicester, analyzed data from nearly 12 million shopping trips from four major British retailers between 2013 and 2015. The researchers found that using self-checkouts in stores increased the rate of loss by 122 percent to an average of 3.9 percent of turnover.​​</p><p><img src="/ASIS%20SM%20Article%20Images/1216-asis-security-management-retail.jpg" alt="" style="margin:5px;" /><br></p><p>​<br></p>

Wholesale and Retail Trade

 

 

https://sm.asisonline.org/Pages/Crime-of-Opportunity.aspx2016-12-01T05:00:00ZCrime of Opportunity
https://sm.asisonline.org/Pages/Book-Review---Supply-Chain-Risk.aspx2016-10-01T04:00:00ZBook Review: Supply Chain Risk
https://sm.asisonline.org/Pages/Six-Food-Defense-Changes.aspx2016-06-01T04:00:00ZSix Food Defense Changes
https://sm.asisonline.org/Pages/Safety-at-Sea.aspx2015-07-20T04:00:00ZSafety at Sea
https://sm.asisonline.org/Pages/Surveillance-for-Security-and-Beyond.aspx2015-06-15T04:00:00ZSurveillance for Security and Beyond
https://sm.asisonline.org/Pages/Strategic-Shrink-Reduction.aspx2015-02-01T05:00:00ZStrategic Shrink Reduction
https://sm.asisonline.org/Pages/Chain-Reaction.aspx2015-01-01T05:00:00ZChain Reaction
https://sm.asisonline.org/Pages/Retail-Theft-Inc.aspx2014-10-01T04:00:00ZRetail Theft, Inc.
https://sm.asisonline.org/Pages/the-intelligence-triangle.aspx2014-09-01T04:00:00ZThe Intelligence Triangle
https://sm.asisonline.org/Pages/target-breach-offers-protection-lessons-0013247.aspx2014-04-01T04:00:00ZTarget Breach Offers Protection Lessons
https://sm.asisonline.org/Pages/fighting-counterfeiters-during-holiday-season-0013014.aspx2013-12-20T05:00:00ZFighting Counterfeiters During the Holiday Season
https://sm.asisonline.org/Pages/Shutting-Down-Retail-Theft.aspx2013-11-01T04:00:00ZShutting Down Retail Theft
https://sm.asisonline.org/Pages/loss-prevention-0012628.aspx2013-08-01T04:00:00ZGlobal Retail Crime and Loss Prevention Trends
https://sm.asisonline.org/Pages/asis-2012-seminar-showcase-0011133.aspx2012-12-03T05:00:00ZASIS 2012 Seminar Showcase
https://sm.asisonline.org/Pages/A-Wrinkle-in-Time.aspx2012-08-01T04:00:00ZA Wrinkle in Time
https://sm.asisonline.org/Pages/supply-chain-security-009867.aspx2012-06-01T04:00:00ZSupply Chain Security
https://sm.asisonline.org/Pages/Teaming-Up-on-Loss-Prevention.aspx2012-04-01T04:00:00ZTeaming Up on Loss Prevention
https://sm.asisonline.org/migration/Pages/planning-disaster-009598.aspx2012-03-01T05:00:00ZPlanning for Disaster
https://sm.asisonline.org/Pages/Checking-Out-Security-Solutions.aspx2011-12-01T05:00:00ZChecking Out Security Solutions
https://sm.asisonline.org/Pages/Experts-Share-Compliance-Tactics.aspx2011-12-01T05:00:00ZExperts Share Compliance Tactics

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Teaming-Up-on-Loss-Prevention.aspxTeaming Up on Loss Prevention<p>​</p><p>THE GREAT RECESSION HAS HIT MERCHANTS HARD. The U.S. Department of Labor estimates that more than a million retail positions have been lost and a significant portion of those jobs are not expected to return. With retailers suffering staff reductions at both stores and corporate headquarters, one of the biggest challenges for retail loss prevention (LP) departments is halting operational breakdowns that lead to loss. One way of doing so is through the creation and deployment of special in-store loss prevention/asset protection teams.</p><p>In an ideal retail environment, after inventory is acquired for sale and displayed, it is all sold and none of it is returned. That, of course, is not the reality. Out of any given inventory, some items are returned, others lost, damaged, or stolen. That’s known as “shrink,” and it is on the rise. According to the Global Retail Theft Barometer, an annual study underwritten by an independent grant from Checkpoint Systems, the global shrink rate increased by 6.6 percent when comparing 2010 to 2011.</p><p>One factor in the increasing percentage of shrink is the loss of experienced personnel who are knowledgeable about operations and procedures that can prevent problems that result in shrinkage. These workers are the front lines of a loss prevention/asset protection program. At the store level, for example, operational breakdowns from lack of experienced personnel take place across the spectrum of operations, leading to receiving errors, incorrect pricing of new goods or of merchandise slated for markdown, improper storage that results in damage to goods, unrotated perishable or expired items, and cash-handling laxities.</p><p>At the corporate level, similar personnel losses can lead to an absence of LP programs or the implementation of poorly designed and inadequate programs. The results can be catastrophic, causing wasted labor as well as unrecoverable losses that can spell the end of a business altogether.</p><p>The latter is not a baseless doomsday warning: in my capacity as the president and CEO of a retail LP consultancy, after having served for many years in retail LP with major multinational companies, I have seen retailers suffer these consequences, including two companies with more than 845 locations in 48 U.S. states.</p><p>Team LP<br>Companies may not be able to avoid personnel cutbacks or turnover, but they can mitigate the damage to the loss prevention program. One tested way to prevent the breakdown of LP processes after the loss of key personnel is to set up teams dedicated and trained to focus on LP and safety to help ensure that the locations are doing everything they can to limit loss from shrink and risk management exposures.</p><p>Like any good retail strategy, the LP team must have executive buy-in if it is to succeed. Unless this upper-level support is clearly communicated, and time budgeted, store managers will remain unconvinced that they should devote time and other resources to the team’s activities.</p><p>If the company’s head of LP is trying to sell such a program, part of getting corporate approval will be to provide return-on-investment data to company executives as well as the expected outcomes. In my experience, companies that institute these LP teams see a minimum of 10 to 20 percent reduction in shrink and accident costs per store. The cost of the team can be calculated by combining the time dedicated by each hourly associate and any ancillary costs. These ancillary costs can include items such as the cost of purchasing or developing training tools or of purchasing appreciation gifts to be used in a rewards program.</p><p>Set parameters. Once company executives pledge their support, the head of LP must set parameters for the LP team program so that the teams know what their objectives are. In the grocery sector, for instance, food quality assurance factors are imperative as are direct-to-store delivery procedures, while in specialty retailer stores, teams will focus more on higher-end product exposure.</p><p>The corporate LP department must create team tools, such as audits, checklists, and sample meeting agendas. The head of LP should seek input from other corporate departments, such as operations and training and development, as well as input from selected field leadership and store managers. </p><p>The LP head must also delineate communication avenues, including establishing a corporate contact point for all teams when global issues are identified. This could be a hotline or LP department contact person.</p><p>Some of my retail clients have chosen to implement teams that not only deal with LP but also with safety and risk management issues, including general-liability risk factors and associate safety and accident review. If safety is to be incorporated, all of the team’s activities should be laid out in the same way as LP activities, including a communication link through which issues can be reported at the corporate level. The assistance of corporate safety personnel should also be sought in developing related checklists, forms for problem identification and reporting, and other guidelines.</p><p>All of this information, when completed, should be compiled in a handbook and training guide. Sections should include member composition, meeting structure, team objectives, the communication process, and issue resolution.</p><p>Pick a leader. A store manager or highly motivated assistant manager should be selected to be the LP team’s leader—known as the sponsor. The sponsor’s role is to oversee and direct the team. That includes liaising with higher-ups regarding the team’s performance and findings. This person will also coordinate with other stores in the region on activities and trends.</p><p>Ideally, the person selected will be a top-performing assistant store manager—or someone with loss prevention and safety experience or who shows interest in these areas. This person should receive training from corporate LP on how to oversee the in-store team, how to provide support, how to keep the team on track, and how to accomplish the objectives without devoting more time or resources to these activities than called for in the corporate team directives.</p><p>Team sponsors should have that responsibility added to the key metrics on which they are assessed during their routine employee performance evaluation.</p><p>Corporate and or field LP supervisors in conjunction with the store manager need to pick strong hourly associate leaders for each team. These should be individuals who are respected in the stores, such as a well-regarded department manager or receiver. The rest of the team should be composed of associates selected by store management.</p><p>Depending on the size of each store, the LP team should be no smaller than three and no larger than eight members. I recommend this because above this number the labor expense begins to erode the return-on-investment model. If the retail environment includes a 24-hour work force, be sure to have representation on the team from all shifts.</p><p>To the extent possible, teams should be composed of long-term employees. The institutional knowledge of these associates is what enables an in-store LP team to succeed. Once a team is in place, wholesale changes should be avoided for the first year unless it is necessary due to ineffectiveness. Some new members should be rotated onto the team each year.</p><p>The team should be given something to mark its identity—for example, a special pin, badge, nameplate, or ribbon that makes team members recognizable to customers and other associates. Also, if at all possible, each of the team members should receive a small hourly pay increase for their added LP responsibilities. When members leave the team, a certificate of appreciation for their service or some other gift should mark the occasion. In this way, participation will be taken seriously by the team members and others, and good work will result.</p><p>Additionally, the LP team leader position has been used by several retailers as a management training step. Once an associate has proven his or her leadership capability as head of the team, the company places that person in the regular management training program.</p><p>Time management. The team should meet on a schedule set by the company—either weekly, biweekly, or monthly. When I develop these teams for clients, the team is directed to meet each week for one hour to set objectives and tasks, with one meeting per month dedicated to executing a loss prevention and risk management store audit, looking for issues such as high-end products that are left unsecured or an inoperable emergency door alarm, for instance. Another meeting structure might be a 10-minute meeting followed by 30-minute walk of the store to audit LP and safety issues, then a 15-minute resolution planning session, and a five-minute wrap-up.</p><p>The team sponsor needs to put limits on the time allocated to the LP teamwork—especially when a team is successful; otherwise, dedicated employees may overdo project work and shortchange their regular duties.</p><p>The team sponsor should also make sure that important boundaries are not crossed. For instance, at one store, an aggressive team leader embarrassed the other department managers with the LP team’s audit findings. This negatively affected store morale and caused the team leader to be replaced.</p><p>The team is empowered to identify operational breakdowns and to communicate them to local managers, but it should be done cordially and dispassionately. The team is not there to condemn peers or attempt performance coaching. This should be left to supervisors.</p><p>The team also has no enforcement role. It is most certainly not, nor should it see itself as, a replacement for shoplifting agents. The confrontation and apprehension of shoplifters is dangerous and must be left to authorized and trained staff.</p><p>Empowerment. When an audit turns up a problem, the team must be empowered to have it acknowledged, and they must see results. There is nothing more demoralizing for a team than to spot deficiencies, to follow the correct path to report the issue, and then see nothing happen in response because of a failure to act by authorities at the local store, regional, or corporate level.</p><p>But this isn’t just about team morale. Companies benefit when they act on team findings. When teams use the agreed upon line of communication to the corporation, and it responds, I have seen the correction of errors result in millions of dollars in revenue. At one store, for example, during an audit, the team found that a three-videogame multipack was being sold at the price of an individual game because of improper bar coding by the vendor. The team quickly alerted the company, which issued a recall of the product. In this case, the vendor was required to replace the bar codes on all existing stock and reimburse the retailer its lost revenue.</p><p>Senior management also needs to give the team feedback on what the team sends up the line. This should include acknowledgment of communications, information on when and how specific issues will be addressed, along with proper closure, and periodic commendations of the team for its good work. For example, the team’s success can be included in corporate newsletters and e-mails, or celebrated by regional management.</p><p>During my tenure as a field loss prevention supervisor for Walmart, we ran a district program recognizing the most effective in-store LP/safety team. The program caught the attention of founder Sam Walton, who implemented it companywide, leading to some of the lowest shrink levels the retailer had ever experienced.</p><p>The team should also be allowed to communicate within the store during store meetings, via internal e-mail, or in other ways that information is passed to associates. The team leader should review all communications to make sure they are targeted and clear.</p><p>My experience in the retail field and with clients over many years has proven that in-store LP teams, when properly deployed, are a powerful tool. During both good retail times and bad, effectively trained, managed, and supported teams bolster existing loss and risk prevention business processes, which in turn boosts the bottom line.</p><p>Keith Aubele, CPP, is president and CEO of Retail Loss Prevention Group, Inc., of Bentonville, Arkansas. He has previously been corporate vice president of loss prevention for Home Depot and divisional director of loss prevention for Walmart. He currently serves as the vice chair of the ASIS International Retail Loss Prevention Council.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Checking-Out-Security-Solutions.aspxChecking Out Security Solutions<p>​</p><p>SEASONED RETAIL LOSS PREVENTION VETERANS CAN recall the days of checking credit card slips, examining cash-deposit line items, conducting spot audits, and physically counting marked-down items to stay on top of shrinkage and loss challenges. Today, loss prevention specialists rely on increasingly sophisticated technology, especially in the area of point of sale (POS). Among the technologies bringing benefits are cloud computing, video analytics, radio frequency identification (RFID), automated cash management systems, and access control via smart keys.</p><p>Point of Sale<br>Several technologies are helping retailers catch problems at the checkout counter. Chief among these are the cloud and video analytics. To take advantage of new technology, almost all large retailers tie their POS systems to a surveillance camera system. Cameras play a critical role when deployed to monitor cash transactions at the point of sale. When tied to POS data, this video technology becomes even more powerful.</p><p>There are two ways in which this video can be helpful. First, the footage is married to the register’s own data records. In comparing the two, it is possible to catch discrepancies that may indicate accidental loss or intentional theft.</p><p>For example, the video would reveal instances when items on the bottom shelf of a shopper’s cart passed through a checkout lane without being rung up. That could be an honest oversight or theft. The video might also reveal possible “sweethearting”—when a cashier gives items to customers for free by pretending to scan bar codes or by using other tricks.</p><p>An investigation can determine whether the cashier legitimately tried to scan the item but didn’t notice that either a technical error occurred or the scan was incorrectly performed. If the case involves an honest mistake, not malfeasance, the cashier can be given additional training.</p><p>At some retailers, the loss prevention team is small and doesn’t have time to review suspicious transactions. A solution in this case is to outsource the review task, but the solution itself can create security exposures because to do the task, third-party providers must have access to the retailer’s proprietary customer data and to its network.</p><p>Another problem with the concept of having a system that captures all POS transactions and marries video to data is the demand this places on IT infrastructure. Most retailers do not have the capital to invest in building an adequate IT infrastructure. The advent of the cloud, however, offers another option. The cloud makes computing capacity a service to be rented, rather than a product that has to be purchased at a high up-front cost.</p><p>The cloud also means that retailers can now store their POS and camera system data with an off-site host that is completely removed from the company’s private IT network. The retailer only transmits to the cloud the information that it wants to divulge.</p><p>It can also be useful to combine POS video footage with analytics. For example, ScanItALL by StopLift Checkout Vision Systems of Cambridge, Massachusetts, runs video of the cashiers’ and customers’ body motions through an analytic process. Mathematically analyzing the pixels of digitized video, the system studies how a cashier handles each item to determine whether it was properly scanned. It can interpret fraudulent behaviors, such as when a cashier covers up a bar code, for example.</p><p>Some POS systems can also be set to look for items that are left in the cart as they proceed through the checkout line. This can be especially important in self-checkout lanes.</p><p>LaneHawk by Evolution Robotics Retail, Inc., of Pasadena, California, uses cameras tied to the POS system to spot items in the bottom of the basket. The system also links the products it sees at the bottom of the cart to its database, which sends the UPC bar code of the item to the cash register, adding it to the transaction. LaneHawk is currently in use at more than 1,000 individual grocery stores in the United States. Evolution Robotics also has another version of the product for similarly identifying items left in the main section of the cart.</p><p>Carttronics of San Diego offers special modified shopping carts that cannot be removed from the retailer’s property and are automatically disabled if they have not traveled through the checkouts, putting a stop to full-cart walk-outs and bottom-of-the-basket theft attempts.</p><p>Alarms<br>Another area where cloud computing is emerging as a benefit to retailers is in the real-time monitoring of video and alarm systems. In this case, alarm data is transmitted through the cloud to the vendor that responds to the alarms.</p><p>In this area, the change over to the cloud may be inevitable. Every day, voice over IP gains ground, and as the company AlarmCLOUD notes on its Web site, “The clock is ticking on landlines. The security industry has accepted that telcos will be pulling the plug on public switched telephone networks.” Alarm monitoring companies are faced with having to run IP receivers in house to accept IP signaling and are themselves turning to cloud services. For a monthly fee, companies such as AlarmCLOUD offer to save the alarm company the cost of equipment, labor, upgrades, and servicing.</p><p>Store Shelves <br>Some theft occurs in the aisles and can’t be caught at the POS. There are systems to address this threat also.</p><p>For example, Evolution Robotics has a product called ShelfHawk that is meant to combat the growing organized crime tactic of shelf sweeping in which whole shelves of items highly valued for resale, such as diabetic test strips, are stolen in bulk by being swept into a booster bag (a bag commonly used by retail thieves), leaving the shelf bare.</p><p>The ShelfHawk system uses strategically placed cameras to watch selected shelves and to report on suspicious activities such as dwell time—the length of time a person spends in front of shelved items. A longer dwell time indicates that the customer may be waiting for a chance to steal what is there. When the cameras pick up someone spending too long in a particular area, the analytics recognize this and sound an alert so that staff can check on the situation.</p><p>The system has the added benefit to the retailer of recognizing when a shelf needs to be restocked, sending an alert when, for example, the last box of teeth whitening strips in a row is removed, leaving only an empty space.</p><p>To deal with theft of individual items, there are also tags. Traditionally, retailers worldwide made a large investment in tags that used electronic article surveillance (EAS) technology, the components of which include the hard tags seen clipped to merchandise, the detector/pedestals placed at shop egress points, and the deactivators and detachers used at the checkout counters.</p><p>While EAS systems have proven their worth in stopping thefts, or at least alerting staff that a theft is occurring, they cannot tell retailers what has been taken. For example, an EAS system will set off an alarm indicating that something is being stolen. By contrast, an RFID tag can tell the retailer that a black silk woman’s blouse selling at $125.99 was the item that slipped out the door. This ability to know which item was taken reclassifies losses from “shrink,” which is defined as unknown loss, to known losses that can help retailers pinpoint the items that are vulnerable and need additional protection within a store.</p><p>The system can also help identify vulnerabilities by department or store location. For example, if reports generated by the system’s database indicate that a number of watches have been stolen in store locations in a particular geographic area, these items can be moved to a locked case. In other regions where there has been no watch theft, the increased protection may not be needed.</p><p>The components of most RFID inventory control systems are the tags, the readers, and the software that usually runs on a standard PC, which is Windows based. Because RFID tags are contactless, their information can be captured by readers that are placed to cover an entire environment, unlike bar-code inventory management systems, in which a scanning beam must pass over the tag. They are also less susceptible to damage or wear that can destroy bar codes.</p><p>One example of RFID loss prevention systems newly introduced to retailers is the OPI Loss Prevention System by Optical Phusion, Inc. (OPI). The system combines wireless communications capabilities with passive RFID technology and software. Hand-held scanning terminals can be configured to scan retail products and return a product description and current retail price, making it simple and fast for a manager to walk through a store and create a complete inventory of items.</p><p>To catch shoplifters, each RFID chip returns a unique identifier when it passes through the zone covered by the RFID readers and antennas that are placed in the front doors of each store. When the RFID reader detects a tagged item, it passes the information to the OPI Loss Prevention Controller software, which then transmits a command to alarm. Jamison, another RFID development company based in Hagerstown, Maryland, has developed a converged RFID/EAS technology that is able to bring the technologies together for the retail platform.</p><p>Not far away are the days when this same technology will allow customers to merely push a shopping cart past a reader and swipe a debit or credit card to make payment without waiting for each item to be scanned. Inventories will be automatically updated and any items secreted on individuals buying other items will be read automatically and added to the bill.</p><p>Entrance<br>Technology is also making it possible for stores to have some advance warning when trouble walks in the front door. For example, a facial recognition software system from T-Mobile scans the faces of incoming customers to see if any match a database of known previous shoplifters, bad-check writers, wanted criminals, and members of organized retail crime flash mobs.</p><p>Accounting<br>The back office is another area where technology is being put to good use by security. For example, retailers are beginning to take full advantage of cash recycling systems that not only reduce staff time for certain tasks in the accounting office but also increase cashier accountability. These systems typically reduce the cash on hand in a retail store, create instant deposits, and can be tied to banks and armored car services for immediate provisional cash credit. The systems also limit cash access by employees, creating a deterrent to theft and armed robbery.</p><p>One cash managing system, The Revolution by Tidel of Carrollton, Texas, is now being used by a number of retailers including Whole Foods, Hy-Vee, and United Groceries. (Security Management looked at this system in depth in its February 2010 “Case Study” column.) The Tidel product employs a unit about the size of a large photocopier that combines a drop vault, touchscreen user interface, cash and coin counters and dispensers, and a biometric palm scanner.</p><p>When cashiers arrive, they don’t need to collect their day’s tills from supervisors who received them from bookkeepers who prepared them in the predawn hours. A cashier goes to the machine and places his or her palm on the reader. Once the unit recognizes the cashier, he or she picks up an empty till with an attached bar code, and the machine scans it, linking the till to the cashier for that shift. The till is then inserted into a slot and the unit automatically dispenses the correct amount of bills and coins. The cashier removes the till and scans the bar code off a canvas bag in which he or she will place all of the checks, coupons, rain checks, and any other “media” that are collected in the course of the day. The process takes less than a minute to complete.</p><p>Access Control<br>Access control solutions for retail have recently seen the coming of intelligent key systems. Resembling key fobs with a metal cylinder at the head, these keys are programmable in a way similar to standard access control cards, allowing the system administrator to set parameters such as times the key is active and store doors or display cases on which it can be used, all based on an employee’s duties. For example, the smart key may let a store clerk assigned to the jewelry department open the display cases there but not let that employee open a case in electronics.</p><p>Developed by Medeco of Salem Virginia, a division of ASSA ABLOY, the system also collects data on use and use attempts, so if an employee tries to use his or her key to gain access to a proscribed area, that attempt will be recorded and flagged when the data is downloaded from the key at the end of the employee’s shift. Data from the keys can also help managers pinpoint areas where employee training may have been lax. It can, for instance, note when a display case was incorrectly relocked.</p><p>Some retailers are also employing smart key systems on their truck fleet to prevent dishonest truckers from picking the locks on trucks, removing goods, and reselling them.</p><p>Enterprise Management<br>Some providers are offering Web-based analytic management tools. Such systems help companies make the most of their physical security data. The platform may be built to integrate and manage security, safety, and operational systems such as surveillance, access control, alarms, and exception reporting.</p><p>These solutions pull from several applications—video, access control systems, and internal assessment processes—for better decision-making. One example is the Encapsulon Control platform by Wren Solutions of Jefferson City, Missouri.</p><p>Today’s retailers exist in an era with fiscal constraints and persistent criminal threats. The challenges are great, but targeted use of technology can help retailers manage risk and preserve profits.</p><p>Keith Aubele, CPP, is president and CEO of Retail Loss Prevention Group, Inc., of Bentonville, Arkansas. He was previously the corporate vice president of loss prevention for Home Depot and divisional director of loss prevention for Wal-Mart. He serves as the vice chair of the ASIS International Loss Prevention Council.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/The-Utility-of-Securing-the-Electric-Supply.aspxThe Utility of Securing the Electric Supply<p>​</p><p>OUR SOCIETY IS BUILT in part on a foundation of reliable electrical energy. Utilities work to ensure the uninterrupted supply of electricity in the face of multiple threats, including copper thieves, marijuana growers, computer hackers, and potential terrorists. The experiences of three utilities, plus a look at how the industry as a whole is trying to improve information sharing, serve to illustrate the challenges this sector faces and the varied solutions that are helping to minimize the risks.</p><p>Copper Theft<br>EPCOR Utilities Inc., a power and water provider owned by the City of Edmonton, Alberta, Canada, owns or operates 50 facilities in Canada and the United States. One major security problem the company faced in recent years was the theft of copper.</p><p>Global economic growth over the past decade, especially in China and India, had created a high demand for industrial metals like copper, boosting their values to unprecedented levels. Understandably, this market has made copper, which is prevalent across the energy sector, a prime target for thieves.</p><p>According to a survey published in January by the Electrical Safety Foundation International (ESFI), electrical utilities sustained an estimated 50,193 thefts of copper during 2008. ESFI estimates that copper thieves hit 95 percent of electrical utilities in the United States. The copper stolen was valued at just over $20 million.</p><p>The full impact of copper theft, however, dwarfs the cost of the metal alone. Thefts in 2008 caused more than 317 days of power outages, ESFI found. Utilities also have to spend money on repairs, and when custom-ordered materials are stolen from construction projects, further activity is delayed while replacement equipment is ordered and manufactured. Thus, the total impact of that year’s thefts is estimated at more than $60 million, while utilities spent another $27 million trying to prevent future copper theft incidents.</p><p>Beyond these costs are the dangers that such thefts pose to thieves and utility workers alike. Most people think of electricity in the context of home wall outlets.</p><p>That amount of energy is relatively small, and safety is carefully engineered into delivery from the substation to the homes and appliances that use it. That same level of safety does not exist at the utility generating plant or substation. ESFI found that 52 people were injured while stealing copper last year, and 32 died. Thieves have died in substations wearing running shoes, using rubber-handled cutting tools, mistakenly thinking that they were protected, only to have massive arcs of electricity travel through the air and their bodies en route to the ground. Similarly, if a thief successfully steals a copper grounding cable, the next utility worker to service that equipment could get a fatal shock.</p><p>Thieves find copper in the form of wire in construction projects, derelict housing, distribution lines, telephone boxes, and electrical substations, among many other sources. Those committing the crimes run the gamut from desperate drug addicts to members of organized crime syndicates.</p><p>The common thread is opportunism. If would-be thieves don’t see copper or don’t think they can access it easily, they won’t even try. Thus, experience has shown that the best way of reducing the theft of copper is to reduce ease of access to it. </p><p>Realizing that a company’s technical and construction personnel are best positioned to limit exposure and given the clear nexus with worker safety, EPCOR Utilities addressed the problem by educating staff through its existing program of Safe Work Practices. It turned out that many workers were unaware of both the risks posed by copper thefts and how easily they could help to mitigate them. </p><p>Construction crews now clean up all scrap copper at the end of the day, and unused copper wire and grounding equipment must be either returned to service centers at night or securely locked away. </p><p>Other solutions have been improvised by workers in the field. When, for example, they are burying copper cable, crews make sure that they finish a given segment before heading home for the day; they don’t start segments they can’t finish that day so that equipment will not have to be left out overnight, which would be an invitation to thieves. </p><p>Another simple method of thwarting copper thieves is wire tagging, which essentially entails “branding” copper with a sign of ownership. It works on three fronts: it’s a deterrent to thieves, it can help authorities track down perpetrators, and it can alert legitimate scrap vendors to stolen materials. </p><p>Utilities typically set up scrap disposal contracts with an approved recycler; that company should be the only vendor handling that utility’s copper scrap. If a legitimate recycler spots a company’s tags on scrap offered by a third party, the recycler won’t buy it, discouraging future theft. </p><p>EPCOR Utilities uses two products: DataDot, which is an adhesive material containing sand-sized particles bearing a registered company PIN number, and DataTraceDNA, also developed by DataDot Technology Ltd. along with Australia’s state-run Commonwealth Scientific and Industrial Research Organization. DataTraceDNA is battleship gray-colored paint containing a signature ceramic taggant identifying the owner.</p><p>Stamping copper components with the name of the electrical utility that purchases them is another excellent method of marking copper. Grounding stakes, copper fittings, and wire can all be stamped. Another tactic is use of alternative conductors such as Copper Clad Steel, produced by Copperweld. The cable’s conductive copper binding constitutes only 3 percent of its diameter, leaving a thief with minimal resale value.</p><p>These measures, part of a broader, companywide security program, helped reduce overall shrinkage at EPCOR by two thirds from 2007 to 2008. Copper thefts—one of which cost the company $20,000 in metal alone—were all but eliminated in 2008, with only four minor thefts reported.</p><p>Copper’s market price peaked at $4 per pound in 2006, but it fell to $1.50 per pound in early 2009, and the rate of theft has fallen somewhat with it. This is not the end of the problem, though. Utilities know that when the global economy improves, copper theft will increase again.</p><p>Electricity Theft<br>BC Hydro and Power Authority is a provincially owned utility in Canada; it produces power for domestic use and export and manages small water supply operations in remote communities within British Columbia. For BC Hydro, a utility serving 94 percent of British Columbia’s population areas, the problem is electricity theft and the associated damage caused by it, which are estimated to cost the company $30 million annually. That figure is expected to rise to $60 million within a decade if left unchecked.</p><p>In British Columbia, 99 percent of energy theft is linked to illegal indoor marijuana cultivation operations, which require powerful lamp light 24 hours a day. Criminals tap into distribution circuits in various ways to bypass the electric meter. Some of their methods are quite sophisticated, and all are extremely dangerous. Beyond the obvious risk of electrocution to both perpetrators and utility workers, diversions can result in unstable circuits that can lead to house fires, explosions, and power surges across the circuit affecting all homes in the community.</p><p>Besides obvious physical tampering with a meter that would appear clearly to a company technician, the most telling indicators of diversion are a sudden drop in metered consumption and a sudden increase in actual power draw. To uncover these indicators, BC Hydro special investigation teams search for anomalies in the electric consumption records of customer premises and conduct field tests on distribution circuits, distribution feeds, and at the electrical meters.</p><p>Any diversion confirmed by BC Hydro is reported to law enforcement. While statistically, energy diversion can establish suspicion of marijuana cultivation, the decision of whether to investigate or pursue narcotics charges falls solely to police. And in Canada the utility’s lost rate fees are solely a civil matter except where restitution associated with a successful theft conviction is ordered by the courts. It falls to each utility to collect from the energy thief, and the matter is often settled before a civil court judge.</p><p>In the United States, the process is only slightly different, according to Scott Burns, a former criminal prosecutor and now executive director of the National District Attorneys Association. Nearly all U.S. states have criminal theft-of-service statutes, with penalties mirroring those for physical theft. The utilities are expected to report energy diversions to police. Then, as in Canada, it falls to police to decide whether to simply pursue theft charges or investigate possible drug cultivation.</p><p>Not all pot growers steal power. But most of them exact an exceptionally high draw on the grid, which presents critical safety concerns within a building. Thus, an amendment to British Columbia’s Safety Standards Act allows municipalities to request information regarding high consumption users without violating privacy.</p><p>High consumption is specifically defined in the law as consumption over 93 kilowatt-hours per day, compared to about 30 kilowatt-hours daily for a normal household. Records are provided to municipalities on written request from a designated public safety official, such as a fire marshal, to ensure that high consumption does not present a life-safety danger.</p><p>Cybersecurity<br>Manitoba Hydro, also a provincially owned power utility in Canada, generates and transmits power to Manitoba and the United States. Like other utilities, it was concerned about the cybersecurity of industrial control systems (ICS), including the supervisory control and data acquisition (SCADA) software used by utilities.</p><p>The vulnerability of these systems has gained attention in recent years as media reports have highlighted the potential threat posed by hackers breaking into these systems and remotely controlling or sabotaging the electric grid. An anonymously sourced article earlier this year in the Wall Street Journal, for example, reported that Chinese and Russian spies had both penetrated the North American electric grid and left behind bot-like programs that could possibly be activated at a later date to cripple the North American electricity infrastructure.</p><p>The report elicited the widest possible range of responses from network security experts. Some cast the report as an accurate and overdue public wake-up call for the utility sector. Others brushed off the report as a cynical bid from within the U.S. government to advance a policy agenda.</p><p>Utility security professionals who are disciplined about risk know that the greatest threat of cyberattack comes not from overseas or from a radicalized hacker but from within. Consider, for example, that in 2000, an Australian engineer quit his job with a contractor hired to install a SCADA system in a sewage treatment plant. When the utility did not hire him as an independent contractor, he accessed the SCADA system himself and dumped more than 200,000 gallons of raw sewage into area rivers, parks, and onto the grounds of a local hotel.</p><p>More recently, the U.S. government charged that a former IT contractor for California-based Pacific Energy Resources, Ltd., remotely disabled network systems the company used to alert them to leaks at off-shore oil rigs.</p><p>Addressing the threat, inside and out, requires a comprehensive, converged enterprise security plan with sound fundamentals, including strong procedures for ensuring personnel security and multiple factors of network access control that change regularly to prevent access by former employees or vendors.</p><p>Manitoba Hydro handles personnel risk assessment using a methodology established by the HR Policy Association that considers the nature of a worker’s position, the gravity of prior offenses, and the length of time since they occurred. While the company is already using this approach to assess new hires, assessments on longstanding employees are the subject of negotiations with unions.</p><p>With regard to network access control, the company recognizes that solid IT security requires regular training and awareness programs, along with use of passwords, tokens, and remote access authentication and encryption.</p><p>The electric utility sector as a whole is taking a major step toward bolstering both general and cybersecurity with a suite of nine critical infrastructure protection standards. Issued in 2005 by the sector’s self-regulation entity, the North American Electric Reliability Corporation (NERC), the standards address real or suspected sabotage, critical cyber-asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans.</p><p>Implementation of the first standard applying to cybersecurity—critical cyberas set identification—generated an April memo from NERC Chief Security Officer Michael Assante, who indicated that utilities might require a more robust consideration of which assets are critical by first assuming that all assets are. NERC asked that member utilities “take a fresh, comprehensive look at their risk-based methodology and their resulting list of [assets] with abroader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control but also the potential misuse of those assets by intelligent threat actors.”</p><p>Assante’s letter implied that in initial assessments, the utility sector designated far fewer assets “critical” than NERC thought it should have. Testifying recently before Congress with Assante, Stephen T. Naumann of energy company Exelon Corp. assured lawmakers that “as owners, operators, and users of the bulk power system, electric utilities take cybersecurity very seriously.”</p><p>The first NERC standards were scheduled to become enforceable in July, with fines for noncompliance of up to $1 million a day, but the Federal Energy Regulatory Commission, which formally regulates the power sector, has urged industry compliance by the end of 2010, after which time it would take enforcement action.</p><p>Networking<br>A comprehensive regimen of information sharing between utilities and government agencies is a critical component of security. While communications occur today on an unprecedented scale, they are still not completely open and collaborative.</p><p>Countries like the United States have created regulatory agencies that seek to ensure the reliability of the bulk electric system and, as a prerequisite, the security of that system. The Department of Energy sets policy, the Federal Energy Regulatory Commission regulates U.S. utilities and the Department of Homeland Security (DHS) steers security policy, coordinated in part through NERC, which serves as the sector’s official information-sharing and analysis center.</p><p>Canada, by comparison, lacks a central regulatory agency for its electricity sector. Natural Resources Canada regulates environmental impacts, while provincial utility commissions represent consumers. Public Safety Canada administers national security and federal emergency management programs. But none of these agencies has jurisdiction over the publicly and privately owned electrical utilities across Canada. Like their American counterparts, major Canadian utilities—but not all of them—are affiliated with NERC through regional reliability coordinating councils.  The 32-member Canadian Electrical Association (CEA), the country’s private industry organization, has become the de facto voice for sector information sharing. Utilities security is addressed specifically by the CEA Security and Infrastructure Protection Committee (SIPC).</p><p>SIPC meets three times a year, and meetings feature closed-door “pens-down,” or off-the-record, sessions in which relevant experiences and concerns related to critical infrastructure protection can be discussed without fear of public disclosure. Several years ago, the committee agreed to include representatives from the Royal Canadian Mounted Police (RCMP) in a meeting. The first meeting demonstrated a need and desire for information and intelligence sharing and spawned a new level of participation and cooperation. Today, several federal government agencies join in these meetings to facilitate public-private information-sharing efforts and to provide classified briefings.</p><p>The RCMP, Public Safety Canada, and the Canadian Cyber Incident Response Centre were invited to subsequent SIPC meetings and their participation continues. Reciprocally, the RCMP has provided security clearances to CEA members who now participate in twice-yearly classified energy sector briefings.</p><p>The three government agencies are all partners in the national Integrated Threat Assessment Centre (ITAC). Sector members with secret-level clearance receive ITAC’s relevant intelligence products and participate in secret briefings in Ottawa. Most important, new trusted relationships between government and utility personnel have resulted in ongoing communication about threats and vulnerabilities. </p><p>Before these types of exchanges, sector-specific concerns like copper theft were relatively unknown to national officials from the RCMP. Similarly, many utility-sector representatives were unfamiliar with the threat posed by extremist environmental groups like the Earth Liberation Front. Collaboration has brought a new sense of understanding and cooperation to public and private participants.</p><p>CEA representatives recently attended a NERC cybersecurity meeting in Phoenix, Arizona, during which American counterparts shared their desire for more trusted person-to-person relationships with their federal agencies like the FBI and DHS. Canada’s effort has benefitted in part from its scale, with utilities and government serving a population roughly one-tenth that of the United States.</p><p>Canada’s information-sharing effort is not perfect. It is difficult to reach all critical infrastructure owner operators when they are not compelled to participate in information sharing. But the CEA’s SIPC model is providing an excellent conduit for information sharing in a way that is gaining momentum and trust.</p><p>A more formal information-sharing environment, such as the CEA established within Canada, could serve as a model for any country’s critical infrastructure sector. The end result would be better preparedness and better response capabilities, to the mutual benefit of all parties.  </p><p>Ross Johnson CPP, BMASc (Bachelor of Military Arts and Science), is senior manager, security and contingency planning for Capital Power Corporation in Edmonton, Alberta, Canada, and is a member of the ASIS Oil, Gas, and Chemical Industry Security Council. </p><p>Chris McColm, CPP, CFI (Certified Forensic Investigator), is corporate security manager for Manitoba Hydro and Gas in Winnipeg, Manitoba, Canada, and a member of the ASIS Utility Security Council. </p><p>Doug Powell, CPP, PSP, is manager, corporate security for BC Hydro and Power Authority, headquartered in Vancouver, British Columbia, Canada.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465